Class 8 Introduction to Anonymity CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman
Administrative stuff Monday office hours moved to 2:30 – Will be 2:30 – 4 How was your break? Quiz graded – Discussion
Outline Anonymity concepts and background The Dining Cryptographers problem Anonymous – Chaum mixes – Mixminion Anonymous web browsing – Tor Problems with Tor
Anonymity Concepts Privacy – Confidentiality Anonymity/Pseudonymity – Unobservability – Unlinkability
Properties of eCash Unforgeability Non-reusability Anonymity – Untraceability – Unlinkability
Dining Cryptographers Three people toss coins: heads=1, tails=0 Menus hide right-hand coin XOR your coin flip result and left neighbor’s result Report value to everyone Report opposite value to send a single bit If the sum is odd, someone sent a message
Dining Cryptographers II Slow Error-prone Needs tamper detection Does not scale Provides unobservability
Unobservability k-anonymity (scalable dining cryptographers) – Must be implemented very carefully Link padding – Inefficient – Cover traffic knowledge
Unlinkability Sender X Receiver (Sender can’t identify receiver) Sender X Receiver (Receiver can’t identify sender) Sender X Receiver (Neither knows who the other is) – How do we handle authentication? Unobservability implies unlinkability (?)
For Bob from Alice For Carol from Alice For David from Alice Onion Encryption
Source routing with capabilities B, data S3 S2 S1 B S3 S2 S1 A
Message for Bob Wrapping for Carol Wrapping for Doug Onion Encryption II Bob Alice Wrapping for Edward Edward Doug Carol
Chaum Mixes Bob Alice Output in lexographic order
Global Adversary Bob Alice
Chaum Mix Cascade Bob Alice
Anonymous Reply Address for replies: Reply: Mix0 decrypts N,A; sends: Mix decrypting reply does not know destination Mix encrypting reply does not know source
Mixminion AB C D E Bob A,B,C,D,E Alice Bob
Problems with Mixminon Centralized entities required – Availability failure – Anonymity failure (how?) Malicious nodes: – Control entry and exit – Unlikely
Anonymous High-latency Low-throughput Provides unlinkability – Have to be careful about authentication No default end-to-end confidentiality (PGP) – Actually, there is for replies Secure against global adversary
Anonymous Web Browsing Low-latency Medium-throughput Server does not know client Provides sender unlinkability – Have to be careful about authentication No default end-to-end confidentiality (SSL) NOT secure against global adversary
Tor ABC TCP over TCP (UGH!)
Anonymous Web Services Web service does not know client Client does not know web service Provides sender and receiver unlinkability Rendezvous
Tor Hidden Services ABCDEF
Outline Anonymity refresher Tor anonymous web browsing Attacks – Anonymity – Latency-based – Malicious nodes
Problems with Tor Global adversary – What are the possible attacks? – Long term intersection – Defined as NOT HANDLED by Tor – Functional vs. actual? Packet counting Packet sampling
Problems with Tor “Centralized” entities required – Availability failure – Anonymity failure (how?) Malicious nodes: – Control entry and exit Hopefully unlikely – entry guards Preferential attraction of clients – Eureka! We can lie!
Problems with Tor II Information leakage from software – Web browser language – System time – How else? Malicious attacks on software – How?
Problems with Tor III Information leakage from design: – Latency (Hopper et al.) Unlinkability failure: – Latency (Hopper et al.) See a pattern? Prevention?
Global Adversary Bob Alice Mix server
Entire Tor network
Global Adversary vs. Tor Bob Alice Entire Tor network
Problems with Tor Preferential attraction of clients – Eureka! We can lie! Information leakage from software Information leakage and linkability failure from latency (Hopper et al.) Malicious nodes – Control entry and exit Hopefully unlikely – entry guards
Tor Network Positioning Attack ABCM
Tor Linkability Attack ABC
Outline Anonymity refresher Tor anonymous web browsing Attacks – Anonymity – Latency-based – Malicious nodes
Tor Selective DoS Attack ABC
Tor reliability R DoS = (1-t) 2 + (tf) 3 (1-t) 2 dominates
A defense –entry guards Useful, but ≤ 3 guards may decrease resilience Other mixes
Questions? Reading discussion